

OpenSSL

General Information

OpenSSL is a command-line toolkit for certificate and key tasks such as creating a CSR, converting between formats, and checking that a certificate, its key and its chain belong together.

Checklist

  • Distros: All

  • Privacy Enhanced Mail (PEM) - One of the most common certificate encodings: Base64-encoded DER wrapped in BEGIN/END header lines, so it is plain ASCII and several objects (a certificate chain, or a key plus its certificate) can sit in one file.
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Or
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
  • PKCS #7 / P7B - Represents a set of certificates (i.e. a certificate chain). Holds no private key.
  • PKCS #12 / PFX / P12 - Lets you put a private key, its certificate and the chain into a single password-protected file.
  • Distinguished Encoding Rules (DER) - Binary format most commonly used to represent certificates; PEM is the Base64 wrapping of DER.

  • .crt - Used for certificates, commonly on *nix systems.
  • .cer - Used for certificates, commonly on Windows.
  • .key - Private (or public) keys, encoded as binary DER or ASCII PEM.
These extensions are conventions only; a file may be PEM or DER regardless of its name, so look at the content (PEM starts with a -----BEGIN line) before choosing -inform.

Create a new 2048-bit RSA key and a CSR in one step (-nodes leaves the key unencrypted on disk, so protect the file; OpenSSL 1.1.1 and later can add a subjectAltName to the request with -addext):

openssl req -new -newkey rsa:2048 -nodes -out MYSITE.csr -keyout MYSITE.key

Create a CSR from an existing key:

openssl req -sha256 -new -key MYSITE.key -out MYSITE.csr

Create a CSR from an existing certificate and its key (e.g. for a renewal that reuses the same subject):

openssl x509 -x509toreq -in MYSITE.crt -out MYSITE.csr -signkey MYSITE.key

Convert between DER and PEM:

openssl x509 -inform der -in MYSITE.cer -out MYSITE.pem
openssl x509 -outform der -in MYSITE.pem -out MYSITE.der

Unpack a PKCS #12 file into one PEM file holding key and certificates (you are prompted for the import password; -nodes writes the private key unencrypted):

openssl pkcs12 -in MYSITE-KEYSTORE.pfx -out MYSITE.pem -nodes

Extract only the key (it is written encrypted with a PEM passphrase you are prompted for), then strip that passphrase. The rsa subcommand is RSA-only; openssl pkey does the same job for any key type:

openssl pkcs12 -in mysite.pfx -nocerts -out mysite.key.pem
openssl rsa -in mysite.key.pem -out mysite.key

Extract only the end-entity (client) certificate; -cacerts in place of -clcerts gives the chain instead:

openssl pkcs12 -in mysite.pfx -clcerts -nokeys -out mysite.crt

Convert a P7B to PEM, then expand it into a bundle of individual certificates (if the .p7b file already starts with -----BEGIN PKCS7-----, it is PEM already and the first step can be skipped):

openssl pkcs7 -inform DER -outform PEM -in mysite.p7b -out mysite.p7b.pem
openssl pkcs7 -print_certs -in mysite.p7b.pem -out mysite.p7b.bundle

View the “mysite.p7b.bundle” file. -print_certs writes a subject= and issuer= line before each BEGIN/END block, so use those to identify each certificate rather than relying on position (the client cert is usually, but not always, first):

  • The block whose subject is your site's name is the client (end-entity) cert
    • Copy that single BEGIN/END block into a new file for the client cert
  • The rest (their subjects appear as issuers of other blocks) is the certificate chain
    • Copy all the rest into a new file for the intermediate chain cert

OpenSSL can be used to verify that a certificate and key match.

The public key inside the certificate must equal the public key derived from the private key. For RSA this is done by comparing the modulus printed from each side (comparing full -text output would never match, since a certificate and a key print very different things):

openssl x509 -noout -modulus -in mysite.crt
openssl rsa -noout -modulus -in mysite.key

Similar method, but running the modulus through an md5 hash for a shorter comparison; the two hashes must be identical:

openssl x509 -noout -modulus -in mysite.crt | openssl md5
openssl rsa -noout -modulus -in mysite.key | openssl md5

The modulus trick is RSA-only. For EC or other key types compare the public keys instead: the -pubkey output of openssl x509 against the -pubout output of openssl pkey.
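The public-key comparison from the previous paragraph as a script, added here as an example and not part of the original wiki page. It digests the DER-encoded public key taken from each side, so it works for EC keys as well as RSA, and it builds its own constructed test material (a self-signed RSA pair, a self-signed EC pair and an unrelated RSA key) in a scratch directory. All names in it are made up.

```shell
#!/bin/sh
# Added example, not from the original wiki page: does this private key belong to
# this certificate? Both carry the same public key, so compare a digest of the
# DER-encoded public key taken from each side. Unlike comparing the RSA modulus,
# this also works for EC (and any other) keys. All file names are made up.
set -eu

# SHA-256 of the DER SubjectPublicKeyInfo found inside a certificate.
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | sed 's/^.*= //'
}

# The same digest, derived from a private key of any algorithm.
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 | sed 's/^.*= //'
}

# Exit status 0 when certificate $1 and key $2 match, 1 otherwise.
key_matches_cert() {
    [ "$(cert_pubkey_fp "$1")" = "$(key_pubkey_fp "$2")" ]
}

# Constructed test material in a scratch directory: a self-signed RSA cert with
# its key, a self-signed EC cert with its key, and an unrelated RSA key.
# Prints the directory path.
make_test_material() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=rsa.example.test" \
        -keyout "$d/rsa.key" -out "$d/rsa.crt" 2>/dev/null
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/ec.key"
    openssl req -x509 -new -key "$d/ec.key" -days 1 -subj "/CN=ec.example.test" \
        -out "$d/ec.crt" 2>/dev/null
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
    echo "$d"
}

# Demo: two matching pairs and two mismatches.
demo=$(make_test_material)
for pair in "rsa.crt rsa.key" "ec.crt ec.key" "rsa.crt other.key" "ec.crt rsa.key"; do
    set -- $pair
    if key_matches_cert "$demo/$1" "$demo/$2"; then
        echo "$1 / $2: match"
    else
        echo "$1 / $2: MISMATCH"
    fi
done
```

Point key_matches_cert at a real mysite.crt and mysite.key to use it outside the demo; a passphrase-protected key prompts once for the passphrase.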

Display Certificate Contents

openssl x509 -in mysite.crt -text

Display CSR Contents

openssl req -in mysite.csr -text

To verify that an intermediate cert and client certificate pass a chain of authority test:

openssl verify -CAfile mysites_intermediate.crt mysite.crt

Note that -CAfile makes the intermediate a trust anchor, so this only proves the client cert was signed by that intermediate; it says nothing about whether the intermediate chains to a trusted root. To check the full chain, pass the intermediate with -untrusted instead and let -CAfile (or the system trust store) supply the root.
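The P7B-to-bundle procedure and the chain verification above, carried through end to end as an added example (not code from the original wiki page). It builds a constructed root, intermediate and leaf in a scratch directory, packs them into a DER P7B in scrambled order, runs the two pkcs7 conversions shown earlier, splits the bundle into a leaf file and a chain file by matching subject to issuer rather than by block position, and then shows the difference between verifying with the intermediate as -untrusted and with only the root. Every name in it is made up.

```shell
#!/bin/sh
# Added example, not from the original wiki page. Builds a constructed
# root -> intermediate -> leaf chain, packs it into a P7B, converts the P7B to a
# PEM bundle, splits the bundle into leaf and chain by subject/issuer, and checks
# the result with openssl verify. All names are made up.
set -eu

# Write each certificate in a PEM bundle to its own file: DIR/cert-1.pem, cert-2.pem, ...
split_bundle() {
    awk -v out="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = out "/cert-" n ".pem" }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$1"
}

# Print the end-entity cert in DIR: the one whose subject issues no other cert.
# Assumes the bundle holds a single chain, as a CA-issued P7B normally does.
find_leaf() {
    for c in "$1"/cert-*.pem; do
        subj=$(openssl x509 -in "$c" -noout -subject_hash)
        issues_another=0
        for o in "$1"/cert-*.pem; do
            if [ "$o" != "$c" ] && [ "$(openssl x509 -in "$o" -noout -issuer_hash)" = "$subj" ]; then
                issues_another=1
            fi
        done
        if [ "$issues_another" -eq 0 ]; then echo "$c"; return 0; fi
    done
    return 1
}

# The two conversions from the page: DER P7B -> PEM P7B -> bundle of certificates.
p7b_to_bundle() {
    openssl pkcs7 -inform DER -outform PEM -in "$1" -out "$1.pem"
    openssl pkcs7 -print_certs -in "$1.pem" -out "$2"
}

# Split BUNDLE ($1) into LEAF ($2, one cert) and CHAIN ($3, everything else).
split_leaf_and_chain() {
    work=$(mktemp -d)
    split_bundle "$1" "$work"
    leaf=$(find_leaf "$work")
    cp "$leaf" "$2"
    : > "$3"
    for c in "$work"/cert-*.pem; do
        if [ "$c" != "$leaf" ]; then cat "$c" >> "$3"; fi
    done
}

# Verify LEAF ($3) against ROOT ($1); CHAIN ($2), if non-empty, is passed as
# untrusted intermediates. Returns openssl verify's exit status (0 = OK).
verify_chain() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$3" >/dev/null 2>&1
    fi
}

# Constructed chain in a scratch directory; prints its path.
make_chain() {
    d=$(mktemp -d)
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$d/leaf.ext"
    for name in root int leaf; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example $name" \
            -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -CAcreateserial -days 1 -extfile "$d/leaf.ext" -out "$d/leaf.crt" 2>/dev/null
    # Scrambled order, so the split cannot rely on the leaf being first.
    openssl crl2pkcs7 -nocrl -certfile "$d/int.crt" -certfile "$d/leaf.crt" \
        -certfile "$d/root.crt" -outform DER -out "$d/site.p7b"
    echo "$d"
}

# Demo run.
demo=$(make_chain)
p7b_to_bundle "$demo/site.p7b" "$demo/site.bundle"
split_leaf_and_chain "$demo/site.bundle" "$demo/leaf.pem" "$demo/chain.pem"
openssl x509 -in "$demo/leaf.pem" -noout -subject
if verify_chain "$demo/root.crt" "$demo/chain.pem" "$demo/leaf.pem"; then echo "root + untrusted chain: OK"; fi
if ! verify_chain "$demo/root.crt" "" "$demo/leaf.pem"; then echo "root only, no intermediate: FAILS"; fi
```

The chain file ends up holding the intermediate and the root because the P7B carried both; that is harmless for -untrusted, but when you build a server bundle you normally drop the root. The awk split ignores the subject=/issuer= lines that -print_certs writes between blocks, so the output files contain only the PEM blocks.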
Last modified: 2019/05/25 23:50